Cybersecurity Handoff Register
Status: Active working register
Owner: BionicLoop engineering
Last updated: 2026-04-06 12:37 EDT
1. Purpose
Track the concrete cybersecurity artifacts and open items needed for the engineering-owned software handoff package.
This register complements CybersecurityPlan.md by turning inherited-control claims, BionicLoop-owned local controls, provenance needs, and missing artifacts into explicit tracked rows.
2. Current Handoff Boundary
In scope for the current software handoff package:
- BionicLoop-owned local telemetry/export/file-handling controls
- documented inherited-control reliance for Dexcom G7 and Omnipod DASH interfaces
- provenance and version-tracking requirements for embedded local packages
- explicit statement of what cybersecurity claims are deferred from this package
Deferred from the current software handoff package:
- formal closure of cloud-upload verification
- protected API, provider, role, password-recovery, session-restore, and auth-failure continuity closure (SRS-SEC-003..009)
Not engineering-owned in this pass:
- manufacturer or FDA-owned supplier evidence packages
- formal quality approval workflow
- final submission assembly
3. Inherited Control Register
| Item | Relied-Upon Property | Current Repo Evidence | Artifact Still Needed | Current Status | Next Owner |
|---|---|---|---|---|---|
| Omnipod DASH device link security | Device-side command/session security and encrypted pod command transport | EnDecrypt.swift, MessageTransport.swift, PodComms.swift show LTK-backed encrypted DASH transport handling in shipped code. | Insulet/FDA-cleared cybersecurity or interoperability artifact, or approved supplier summary identifying the relied-upon control. | Documented locally; external artifact still needed. | Receiving quality/submission team to obtain supplier artifact; engineering to keep repo linkage stable. |
| Dexcom G7 device link security | Device-side authenticated G7 session behavior | BluetoothServices.swift exposes the dedicated authentication characteristic and service boundary used by the local G7 integration. | Dexcom/FDA-cleared cybersecurity or interoperability artifact, or approved supplier summary identifying the relied-upon control. | Documented locally; external artifact still needed. | Receiving quality/submission team to obtain supplier artifact; engineering to keep repo linkage stable. |
| Official Dexcom application alarming | Dexcom app remains the source of truth for CGM alarming and urgent-low alarming behavior | SoftwareRequirementsSpecification.md SRS-ALERT-015 and BionicLoop_IFU_v1.4.md explicitly state that Dexcom remains the source of truth for CGM alarming. | Formal citation package for the Dexcom app behavior relied upon by the study/submission team. | Software boundary is documented; external citation still needed. | Receiving quality/submission team. |
| OmniBLE provenance | Local pump communication package provenance, upstream lineage, and local delta must be known | Local source exists in repo, and Cybersecurity_SOUP_Provenance_Review.md now records the likely public upstream repo URL, a likely upstream import commit basis, and the shipped local delta summary; Cybersecurity_Embedded_Package_Delta_Review.md now records the reviewed security interpretation of the local transport/pairing delta. | Any available upstream tag/release mapping for the identified import basis. | Likely upstream import commit identified; shipped local delta summary documented; curated delta review completed; tag/release mapping still open. | Engineering. |
| G7SensorKit provenance | Local CGM communication package provenance, upstream lineage, and local delta must be known | Local source exists in repo, and Cybersecurity_SOUP_Provenance_Review.md now records the likely public upstream repo URL, a likely initial import commit, a traced later upstream sync basis, and the shipped local delta summary; Cybersecurity_Embedded_Package_Delta_Review.md now records no security-semantic local delta in the reviewed BLE/auth/logging surfaces. | Any available upstream tag/release mapping for the identified import/sync basis. | Likely upstream import/sync commits identified; shipped local delta summary documented; curated delta review completed; tag/release mapping still open. | Engineering. |
| LoopKit provenance | Shared local dependency provenance and shipped local delta must be known | Local source exists in repo, and Cybersecurity_SOUP_Provenance_Review.md now records the likely public upstream repo URL, a likely upstream import commit basis, and the shipped local delta summary; Cybersecurity_Embedded_Package_Delta_Review.md now records no security-semantic local delta in the reviewed auth/keychain/logging surfaces. | Any available upstream tag/release mapping for the identified import basis. | Likely upstream import commit identified; shipped local delta summary documented; curated delta review completed; tag/release mapping still open. | Engineering. |
4. BionicLoop-Owned Local Control Register
| Control Area | Current Implementation / Observation | Evidence in Repo | Evidence Still Needed | Current Status |
|---|---|---|---|---|
| Token and credential storage | Auth tokens and stored credentials are persisted in iOS Keychain with kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly. | AuthSessionNetworking.swift | Formal inspection note or STR-style evidence showing the intended Keychain attributes are what ship in the handoff baseline. | Implemented; formal handoff evidence still needed. |
| Protected request behavior | Protected API requests attach bearer tokens and retry once after 401 using token refresh. | AuthenticatedAPIClient.swift, AuthSessionNetworking.swift | None for current package scope because auth/API closure remains deferred; retain as implementation context only. | Deferred from current package closure. |
| Telemetry outbox persistence | Cloud telemetry outbox uses bounded local persistence and retry/permanent-failure handling. | CloudTelemetryReporter.swift, CloudTelemetryOutbox.swift | If cloud scope is re-opened later, formal evidence for persistence, retry, and failure handling. | Documented as implementation context; cloud closure deferred. |
| Local CSV export | Step CSV export remains development-only and is written as plain UTF-8 into the app Documents directory. | LoopTelemetryStore.swift, SoftwareRequirementsSpecification.md SRS-SEC-001..002, Cybersecurity_Local_File_and_Permission_Review.md, Cybersecurity_Baseline_Acceptability_Recommendation.md | Formal TV-SEC-001 evidence package and receiving-team acceptance of the documented investigational conditions, or hardening before broader release. | Review and recommendation documented; formal evidence and final receiving-team decision still needed. |
| File-sharing/open-in-place surface | App enables UIFileSharingEnabled and LSSupportsOpeningDocumentsInPlace, increasing exposure of any Documents content. | Info.plist, Cybersecurity_Local_File_and_Permission_Review.md, Cybersecurity_Baseline_Acceptability_Recommendation.md | Explicit receiving-team decision on whether the documented investigational posture is acceptable for freeze, or product hardening before broader release. | Review and recommendation documented; final decision still needed. |
| Logging discipline | Current logging avoids dumping bearer tokens directly and redacts request query strings. | AuthenticatedAPIClient.swift, CloudTelemetryReporter.swift, AuthSessionNetworking.swift, Cybersecurity_Logging_and_Secret_Review.md, Cybersecurity_Baseline_Acceptability_Recommendation.md | Receiving-team acceptance of the current investigational debug/logging posture, or further sanitization if auth/cloud scope is later re-opened. | Review and recommendation documented; broader auth/cloud closure remains deferred. |
| Permissions/background modes | App currently uses Bluetooth-central background mode and Bluetooth usage descriptions. | Info.plist, Cybersecurity_Local_File_and_Permission_Review.md | Explicit decision on whether the reviewed permission surface is acceptable for the frozen baseline. | Review documented; decision still needed. |
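As an added illustration of the "Token and credential storage" and "Logging discipline" rows above, the following Swift is example code written for this register, not code from the BionicLoop repo. It shows the two checks an inspection note would want to cite: a Keychain write pinned to kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly followed by an attribute read-back that confirms the class actually stored, and a URL redaction helper that blanks query values before a request URL reaches a log line. The service and account strings, the sample token and sample URL, and the `redactedForLog` helper name are all assumptions.

```swift
import Foundation
import Security

// Added example: persist a token with the accessibility class the register names,
// then read the attribute back so an inspection note can cite what actually shipped.
// Service/account strings are placeholders, not values from the BionicLoop code base.
enum TokenKeychain {
    static let service = "example.bionicloop.auth"   // assumed placeholder
    static let account = "access-token"              // assumed placeholder

    private static var baseQuery: [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account]
    }

    /// Store (or replace) the token, pinned to this device and unavailable before first unlock.
    static func store(_ token: Data) -> OSStatus {
        SecItemDelete(baseQuery as CFDictionary)   // "not found" on the first write is fine
        var attrs = baseQuery
        attrs[kSecValueData as String] = token
        attrs[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
        return SecItemAdd(attrs as CFDictionary, nil)
    }

    /// Read back only the attributes (never the secret) and report the stored accessibility class.
    static func storedAccessibility() -> String? {
        var query = baseQuery
        query[kSecReturnAttributes as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var item: CFTypeRef?
        guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess,
              let attrs = item as? [String: Any] else { return nil }
        return attrs[kSecAttrAccessible as String] as? String
    }

    /// Inspection check: true only if the item on the device carries the intended class.
    static func accessibilityMatchesIntent() -> Bool {
        storedAccessibility() == (kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly as String)
    }
}

// Added example for the logging row: blank every query value (and drop the fragment)
// before a URL is logged, so a token or identifier passed as a parameter never lands in
// debug output. Parameter names are kept so the log line stays useful for diagnosis.
func redactedForLog(_ url: URL) -> String {
    guard var comps = URLComponents(url: url, resolvingAgainstBaseURL: false) else {
        return "<unparseable url>"
    }
    if let items = comps.queryItems, !items.isEmpty {
        comps.queryItems = items.map { URLQueryItem(name: $0.name, value: "REDACTED") }
    }
    comps.fragment = nil
    return comps.string ?? "<unparseable url>"
}

// Usage with constructed sample values (not real credentials or endpoints):
let status = TokenKeychain.store(Data("sample-token".utf8))
print("store status:", status, "accessibility matches intent:", TokenKeychain.accessibilityMatchesIntent())
print(redactedForLog(URL(string: "https://api.example.test/v1/steps?access_token=abc123&user=42")!))
```

The read-back query asks only for kSecReturnAttributes, so the inspection path never pulls the secret out of the Keychain; comparing the returned kSecAttrAccessible string against the intended constant is the kind of evidence the "Evidence Still Needed" column asks for, captured against the frozen baseline rather than inferred from source.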
5. Current Open Handoff Actions
| Action | Why It Matters | Current Owner | Target Outcome |
|---|---|---|---|
| Capture upstream provenance for OmniBLE, G7SensorKit, and LoopKit | Without provenance and local-delta tracking, inherited software claims are weak and SBOM/dependency review is incomplete. | Engineering | Controlled provenance record tied to the handoff baseline SHA, building from Cybersecurity_SOUP_Provenance_Review.md and Cybersecurity_Embedded_Package_Delta_Review.md, with remaining closure limited to any available tag/release mapping. |
| Obtain supplier/FDA artifact linkage for DASH and G7 relied-upon controls | Repo code alone is not enough for handoff-grade inherited-control claims. | Receiving quality/submission team with engineering support | Approved external artifact references linked from the cybersecurity package, using Cybersecurity_Supplier_Artifact_Request_List.md as the prepared request matrix. |
| Produce SBOM/dependency snapshot for handoff baseline | Required to support software dependency review and later vulnerability monitoring. | Engineering | Current dependency inventory now exists in Cybersecurity_Dependency_Inventory.md, and the generation/ownership process is now recorded in Cybersecurity_SBOM_and_Advisory_Process.md; remaining need is freeze-time execution. |
| Promote TV-SEC-001 evidence into formal lane | Current in-scope export/file-handling claim still lacks formal promoted evidence. | Engineering | Formal evidence package referenced from the RTM, executed using Cybersecurity_TV_SEC_001_Freeze_Execution_Checklist.md. |
| Record baseline acceptability decision for current local export/file-sharing/logging posture | The package now includes a documented engineering recommendation, but the receiving team still needs an explicit freeze-time disposition. | Receiving quality/submission team with engineering support | Freeze-time disposition recorded against Cybersecurity_Baseline_Acceptability_Recommendation.md. |
| Write local file-handling and least-privilege review notes | File-sharing exposure and Documents-based export need explicit acceptance rationale and operator controls. | Engineering | Completed by Cybersecurity_Local_File_and_Permission_Review.md; remaining need is baseline decision / formal evidence promotion. |